BEST IT Security and Auditing Software 2007

Since we started IT security auditing and assessment work, we have tested and used tons of tools, utilities and software. A lot of them were discontinued, closed their code or were simply bought by vendors. But (hopefully) the best are still alive.

Now, at the end of the year 2007, I have become slightly melancholic and decided to release a survey of the most efficient IT security software for auditors, security administrators and pentesters.

However, I deeply believe that every little script or utility written by an individual developer or hacker is a gem. Just take a look at the SourceForge project repositories to be amazed. They will continue to serve us for years to come.

— Happy New Year.

Scoring criteria

This survey was based on the specific criteria below, so the classification reflects only our opinion at the moment of writing this article.

Criteria | Comment
Audience | Target: IT auditors, pentesters, IT technical staff, IT management staff
Software features | Built-in features, capabilities and options.
Updates and maintenance | Frequency of updates (database, signatures, plugins and add-ons). Maintenance (bug fixes, bug reporting, support...). Future releases and roadmap.
Use of standards and metrics | Use of security metrics and standards (CVE, CVSS, XCCDF, OVAL, CPE, SANS Top 20, OWASP...)
Reporting | Dashboards, charting and graphing, types of report export (HTML, XML, PDF...)
Security-Database Track Popularity | Average of visits and downloads, based on our internal stats during the year 2007.


Penetration Tests

Open source and free software

Category | Best | Recommended/Excellent
Information Gathering | Maltego (GUI and web based) | ex aequo: SEAT (Search Engine Assessment Tool) & RevHosts
Protocol mappers | Nmap | THC-Amap
Vulnerability scanners | Tenable Nessus | Saint Scanner Basic release
Application scanners | W3AF (Web Application Attack and Audit Framework) | ex aequo: Paros Proxy & Nikto
Exploiters | Metasploit 3.x | ex aequo: Inguma & Milw0rm website
Wireless hacking | ex aequo: AirCrack-NG & AirCrack PTW | AiroScript
LiveCDs | BackTrack 2.x and 3.x | ex aequo: NST (Network Security Toolkit) & OSWA (Organizational Systems Wireless Auditor)

Document | Best | Recommended/Excellent
Network and system testing | OSSTMM | NIST SP 800-115
Application testing | OWASP Guides | WebAppSec papers
Testing framework | PTF (Penetration Tests Framework) | N/A
Testing framework | WTF (Wireless Testing Framework) | N/A


Security Assessment

Open source and free software

Category | Best | Recommended/Excellent
Windows auditing | OVAL Interpreter | ex aequo: Belarc Advisor & WinAudit & Sysinternals
Unix auditing | ex aequo: CIS Scoring Tools & Tiger Security Tool | ex aequo: Babel Enterprise & OVAL Unix interpreters (Sussen, Debian, Fedora, openSUSE)
Filtering devices | Nipper | Ncat
Password cracking | Cain and Abel | Ophcrack Suite
Code auditing | FindBugs | Pixy
Wireless testing | OSWA | Russix
Database auditing | THC-Oracle | SQL Power Injector
Application auditing | OWASP LabRat | OWASP CAL9000
VoIP auditing | SiVuS | Cain and Abel

Document | Best | Recommended/Excellent
Publications | NIST CSRC documents | N/A
Security checklists | DISA STIGs | ex aequo: CIS Checklists & AuditNet Resources


Commercial software - Best of

Category | Best | Recommended/Excellent
Penetration tests | Core Impact | Saint Suite (Saint Scanner and SaintExploit)
Application tests | Acunetix Web Vulnerability Scanner | WebInspect
Compliance scanners | LANguard NSS | Tenable Security Center


Links and references

Open source and free software

- Nessus & Tenable products
- Saint Scanner and SaintExploit
- Paros Proxy
- Milw0rm resources
- AirCrack-PTW (CDC Informatik, TU Darmstadt)
- OSWA Assistant
- OVAL Interpreters
- Belarc Advisor
- Sussen OVAL
- CIS Scoring Tools and Checklists
- Tiger Security Suite
- Babel Enterprise
- Nipper (Network Infrastructure Parser)
- Cain and Abel
- Pixy (PixyBox website)
- THC utilities
- SQL Power Injector

Commercial software

- Core Impact
- LANguard NSS
- Acunetix WVS

Methodologies and references

- OWASP software and methodology
- PTF (Penetration Tests Framework)
- WTF (Wireless Testing Framework)
- WebAppSec documents
- NIST releases
- AuditNet Resources

Survey compiled using Security-Database Tools Watch Service statistics.

Copyright © 2008